[aprssig] aprsis DOS in Poland, observation

spam8mybrain spam8mybrain at yahoo.com
Sat Sep 5 13:46:49 EDT 2020


The mechanism to use PKI already exists, but there are a lot of issues regarding administration that haven't been resolved, and it still doesn't protect against abusive behavior by an authenticated user.
    
Plus, since many APRS-IS clients don't support TLS connections to the backbone, we still have to support the completely compromised passcode means of authentication. Hence why I proposed a throttling solution to protect against hostile attackers (who, by definition, aren't going to play nice with the rest of us). Now whether a PKI-authenticated client could be granted a higher throttling threshold is a different issue, but it still goes back to the unresolved PKI administration issues (such as why, currently, a single US-based entity [the ARRL] is the sole gatekeeper to PKI-authenticated access to the world-wide APRS-IS).

Andrew, KA2DDO

-------- Original message --------
From: Mobilinkd LLC <mobilinkd at gmail.com> 
Date: 9/5/20  13:07  (GMT-05:00) 
To: Heikki Hannikainen <hessu at hes.iki.fi> 
Cc: TAPR APRS Mailing List <aprssig at lists.tapr.org> 
Subject: Re: [aprssig] aprsis DOS in Poland, observation 

Would it be worthwhile discussing whether to use PKI for APRS-IS authentication?

I just discovered that there is a registered X.509 extension for ham radio callsigns and that we already have a CA in LOTW.

https://perens.com/2019/07/02/yes-it-is-legal-to-use-cryptographic-signature-on-amateur-radio-and-thats-important/

Kind Regards,
Rob Riggs WX9O
Mobilinkd LLC

On Sat, Sep 5, 2020 at 6:15 AM Heikki Hannikainen <hessu at hes.iki.fi> wrote:

On Fri, 4 Sep 2020, Bill Vodall wrote:

> Is aprs-is under a Denial of Services attack by jankesi and others?
> Looks like multiple packets arriving every second.

The packet rate during the DOS abuse event last night was some 1500-1700 
packets per second at peak.

https://www.dropbox.com/s/tztvaup286vzwnb/aprsfi-polish-abuse-20200904-traffic.png?dl=0

Some APRS-IS clients on the full feed could not take this traffic (too 
slow to process, or too slow network, buffers fill up) and got 
disconnected. As a network traffic rate, it was only around 1.4 Mbit/s 
though. Due to a bug, the two APRS-IS data aggregator aprsc instances at 
aprs.fi crashed too, leaving aprs.fi without a data feed.

This is how it looked on the map, screen shot courtesy of Mateusz Szyper 
on the aprs.fi discussion group:

https://www.dropbox.com/s/5wbjtttkkw1munh/aprs-polish-abuse-20200904-map.jpg?dl=0

And here are a few sample packets, showing what the randomly generated 
packets looked like. The coordinates are random, in Poland, with the 
clear intention of polluting the map fully.

2020-09-04 19:48:27 EEST: CI37PA>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5031.68N\01844.35EZ jeszcze nie dojrzalem.
2020-09-04 19:48:46 EEST: CI371PY-3>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5248.72N/01933.83EX sie draznic z ludzmi.
2020-09-04 19:45:58 EEST: CI37PA-21>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5411.38N\01600.85E-2 Jebane kurwy cebulaki.
2020-09-04 19:48:56 EEST: CI37PA-20>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5051.97N/01543.24Eb masz, masz.
2020-09-04 19:49:26 EEST: CI37PA-88>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5002.85N/02147.17Ec pomarancza kurwo niebieska.

Here's more, each source callsign emitted packets at random coordinates 
with comments from some pool of (obscene) text, so you can just pick one 
call and watch:

https://aprs.fi/?c=raw&limit=&call=CI37PA-9

I haven't looked at a large data set yet; these samples were from a very 
small set of a thousand packets that I took a quick look at now. These 
packets were injected using an igate call of SQ6KPO-1 but there's no 
reason why that could not be a random call in the future. Also, it would 
be *very* unlikely that SQ6KPO is the callsign of the person doing this 
abuse - it is more likely that the intention is to abuse him by using his 
callsign.

It's easy to write a client to do this kind of abuse, and easy to improve 
it (make more things random), and after that it's quite difficult to fully 
filter.

This is just to describe what happened, and what you should expect to see 
in the future. We've been lucky to have very little abuse and DOS attacks 
so far.

   - Hessu

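A per-igate throttle of the kind Andrew proposes, keyed on the injecting station named after the q-construct (the SQ6KPO-1 in the packets above), as an added example that is not code from the thread or from any APRS-IS server; the limits, the N0CALL-1 placeholder igate and the generated sample traffic are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+: (.*)$")
APRS_RE = re.compile(r"^([A-Za-z0-9-]+)>([^:]+):(.*)$")
def parse_line(line):
    """Return (timestamp, source call, injecting igate) for an aprs.fi-style raw line."""
    m = LOG_RE.match(line)
    p = APRS_RE.match(m.group(2)) if m else None
    if not p:
        return None
    path = p.group(2).split(",")
    # The q-construct (qAC, qAR, ...) is followed by the call of the igate or server
    # that injected the packet into APRS-IS; that is the identity a throttle keys on.
    for i, hop in enumerate(path):
        if len(hop) == 3 and hop.startswith("q") and i + 1 < len(path):
            return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), p.group(1), path[i + 1]

class IgateThrottle:
    """Sliding-window limit per injecting igate on packets and on distinct source calls."""
    def __init__(self, window_s=60, max_pkts=100, max_sources=20):
        self.window = timedelta(seconds=window_s)
        self.max_pkts, self.max_sources = max_pkts, max_sources
        self.recent = defaultdict(deque)  # igate -> deque of (timestamp, source)
    def over_limit(self, ts, source, igate):
        q = self.recent[igate]
        while q and ts - q[0][0] > self.window:
            q.popleft()
        q.append((ts, source))
        return len(q) > self.max_pkts or len({s for _, s in q}) > self.max_sources

def count_throttled(log_text, **limits):
    """Return {igate: packets a throttle with these limits would have dropped}."""
    throttle, dropped = IgateThrottle(**limits), defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and throttle.over_limit(*parsed):
            dropped[parsed[2]] += 1
    return dict(dropped)
def build_sample_log():
    """Constructed sample, not real traffic: a quiet placeholder igate and one flooding."""
    t0, lines = datetime(2020, 9, 4, 19, 48, 0), []
    for i in range(3):
        lines.append(f"{t0 + timedelta(seconds=20 * i):%Y-%m-%d %H:%M:%S} EEST: "
                     "N0CALL>APRS,qAR,N0CALL-1:=6000.00N/02500.00E-placeholder beacon")
    for i in range(40):  # 40 random-looking source calls via SQ6KPO-1 within 40 seconds
        lines.append(f"{t0 + timedelta(seconds=i):%Y-%m-%d %H:%M:%S} EEST: "
                     f"CI37PA-{i}>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5031.68N\\01844.35EZ flood")
    return "\n".join(lines)
```

The distinct-source limit is what catches the pattern Hessu describes (many random calls through one igate) even when the raw packet rate stays under the per-igate packet cap.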
